Directory service providers

Content Platform Engine retrieves security data from directory servers for the purpose of authenticating security principals and authorizing users and groups. Both authentication and authorization rely on a directory service repository.

Introduction

Content Platform Engine does not implement its own authentication module. Instead, it uses the Java™ 2 Enterprise Edition (Java EE) application server's authentication mechanism. Before clients can log in to a Content Platform Engine server, the application server's authentication providers must be configured to point to specified directory servers.

Content Platform Engine security objects, such as realms, groups and users, are stored in directory servers. Content Platform Engine retrieves those objects through a Directory Service Provider layer. There are different provider implementations for different types of directory servers.

A directory server is divided into partitions, each of which is called a naming context (or namespace). There are different types of naming contexts, such as the configuration naming context which holds configuration information, and data naming contexts, which contain all directory data. Each data naming context is defined as a Content Platform Engine realm. Each realm contains groups and users.

FileNet® P8 has been designed, extensively tested, and optimized for directory servers with very large numbers of users. Optimization has focused in particular on how FileNet P8 queries for accounts using pattern matching (starts with, exact match), and on whether searches are optimized for short name or display name.

Terminology and basic concepts
Distinguished Name
A name that uniquely identifies a directory entry within an LDAP server. The DN contains one component for each level of the directory hierarchy, from the root down to the level where the entry resides. A typical distinguished name might be: CN=StephenHawking,CN=Users,DC=Filenet,DC=Com. This distinguished name identifies the Stephen Hawking user object in the Filenet.com domain.
Remember: Follow the LDAP standards for characters that are allowable in a DN. For example, do not use encoded characters, and do not use extra backslashes or commas that are not being used as delimiters in the value list.
User Principal Name
A user principal name (UPN) is a friendly name that is short and easy to remember. The user principal name consists of a shorthand name that represents the user and typically the DNS name of the domain where the user object resides, or any other designated name.
The user principal name format consists of the user name, the at sign (@), and a user principal name suffix. For example, the user James Smith, who has a user account in the reskit.com domain, might have the user principal name JSmith@reskit.com. The user principal name is independent of the distinguished name of the user object, so a user object can be moved or renamed without affecting the user principal name.
Among the types of directory servers that Content Platform Engine supports, only Active Directory has a UPN attribute. The attribute name is userPrincipalName.
Short Name
Short name is a property of both the Content Platform Engine User and Group classes:
  • User.ShortName
  • Group.ShortName

User short names and group short names must be unique across all configured directory servers.

User short name is also persisted to a Content Platform Engine object store as a property such as Document.Creator. User.ShortName and Group.ShortName are configurable through the Configuration Manager, the Content Platform Engine API, and Administration Console for Content Platform Engine.

Values for user and group short names have the following restrictions:
  • The short name cannot be a null value.
  • The short name cannot contain either of the following special characters: = (equals sign) or \ (backslash).
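An added example, not IBM's code, that applies the DN conventions from the Distinguished Name entry and the short-name restrictions just listed: it splits a DN into its components while honouring RFC 4514 backslash escaping, rejects stray backslashes, and checks a short name for the null rule and the forbidden characters (read here as = and \). The sample DNs are the one quoted above plus constructed variants.

```python
import re

# One RFC 4514 escape: a backslash followed by two hex digits or one special char.
_ESC = re.compile(r'\\([0-9A-Fa-f]{2}|[ "#+,;<=>\\])')
SHORT_NAME_FORBIDDEN = set("=\\")  # characters the short-name rules forbid

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, honouring RFC 4514 escaping.
    Escaped ',' or '=' belongs to the value; a stray backslash or an RDN with
    no '=' raises ValueError (the inputs the DN rules above say to avoid)."""
    pairs, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            m = _ESC.match(dn, i)
            if not m:
                raise ValueError(f"invalid backslash at offset {i} in {dn!r}")
            tok = m.group(1)  # hex pair "2C" -> ",", single char "," -> ","
            buf.append(chr(int(tok, 16)) if len(tok) == 2 else tok)
            i = m.end()
            continue
        if ch == "=" and attr is None:   # first unescaped '=' ends the attribute
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":                  # unescaped ',' ends the RDN
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    pairs.append((attr, "".join(buf).strip()))
    return pairs

def is_valid_dn(dn: str) -> bool:
    """True when the DN parses cleanly and every RDN carries a non-empty value."""
    try:
        return all(value for _, value in parse_dn(dn))
    except ValueError:
        return False

def short_name_problems(name) -> list[str]:
    """Return the short-name rule violations for name (empty list means it is OK)."""
    if not name:  # None or empty string
        return ["short name must not be null or empty"]
    bad = sorted(set(name) & SHORT_NAME_FORBIDDEN)
    return [f"short name contains forbidden character(s): {' '.join(bad)}"] if bad else []
```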
Realm
In this document, the term realm describes a base object for searching the directory. When Content Platform Engine interacts with a directory service, most operations are done in the context of a realm.
FileNet P8 domain
When you install and configure Content Platform Engine, you create a new FileNet P8 domain which provides the security context for authenticating applications.
Authentication Provider
All interaction with the directory server that has been configured during installation as the FileNet P8 authentication provider is read-only and is initiated only from Content Platform Engine servers.
Login
FileNet P8 lets you configure login with a number of different parameters. Because authentication and login attributes are persisted in databases, workflow definitions, and stored searches, you cannot change the attribute at a later time, including during an upgrade. See the sections describing logging on in the topic that describes your directory server.
Find
The documentation frequently refers to finding users and groups. This refers to the Select Users and Groups dialog box in Administration Console for Content Platform Engine, which is used to search for accounts to add to the ACL of an object. At the Content Platform Engine API level, finding refers to the FindUsers and FindGroups methods.
SSL
You should configure SSL to avoid passing credentials in clear text between the FileNet P8 servers and the directory server.
Group support
FileNet P8 supports groups that can include any number of users and other nested groups. It also honors any account states and restrictions (such as disabled accounts and login hours) defined by the directory server.
Configuration Overview

Directory configuration for Content Platform Engine covers two areas: authentication and authorization. Content Platform Engine does not support different types of directory servers in the same Content Platform Engine domain.

Directory Configuration for Authentication

Directory configuration for authentication, including configuring login formats, is performed on the application server's authentication providers by using FileNet P8 Configuration Manager.

Content Platform Engine server does not implement its own authentication module. Instead, it uses a Java EE application server's authentication mechanism.

Directory Configuration for Authorization

A GCD administrator (gcd_admin) can log in to Administration Console for Content Platform Engine and configure the direct connection between Content Platform Engine and the directory service.

Third-party developers can also call the Content Platform Engine APIs directly to automate this configuration.